A collaboration between leading content delivery networks and technology companies—some of them competitors—is in the midst of shutting down the largest botnet of mobile devices ever recorded.

The WireX botnet was detected on Aug. 17 after businesses in a number industries, most notably hospitality, porn and gambling, as well as domain registrars, reported signs of substantial distributed denial of service attacks.

The attacks, researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle, RiskIQ and Team Cymru soon learned were emanating from tens of thousands to at times hundreds of thousands of Android devices. The mobile devices were infected by malicious apps that were sending in most cases an overwhelming number of requests over HTTPS to websites, sapping the resources of the servers standing up those sites.

Google has since removed 300 offending apps from Google Play and many third-party sites that scrape its store, and is taking steps to remove those apps from devices using its Play Protect service.

“Google mentioned that process does take some time, but it’s largely under way and almost complete,” said Justin Paine, head of trust and safety at Cloudflare. “In terms of risk from this botnet, at this point it’s largely neutralized and most of the phones have been cleaned up.”

The same cannot be said for domains in contact with and providing attack commands to these apps and infected devices. Those remain up and running, but law enforcement and investigators are attempting to have those shut down.

Some data shared by the collaborating companies indicates that at a minimum, 70,000 devices from more than 100 countries are infected, but Akamai reportedly saw spikes of 120,000 unique IPs involved. The fluctuation in numbers could be due to the fact that as mobile devices move from one cell tower to the next, new IPs are generated each time. Flashpoint’s director of security research Allison Nixon said that there were as many as 21,000 requests per second during peaks times of the attack.

“This is significant; that’s a lot of requests per second, and since this is happening over HTTPS, this is more resource-demanding,” she said.

Adding more intrigue to WireX is that it shares some characteristics with click-fraud malware known as Android Clicker, indicating that the attacker likely moved toward DDoS attacks in the recent past.

“When we uploaded samples to VirusTotal to check it against antivirus software, it was recognized as Android Clicker,” Nixon said. “We looked at samples from this campaign and there’s some of the same code, names and icons as in older samples engaging in click-fraud.”

Older samples of Android Clicker would cause Android devices to display streams of porn and gambling ads.

“I think this infrastructure used to be for some really shady ad networks stuff, and they pivoted at some point and it all became DDoS traffic,” Nixon said.

Jared Mauch of Akamai’s internetworking research and architecture team said the researchers were able to identify a broad set of applications involved in the attacks and decompile them to learn the command and control server behind the applications.

“This was something that led us to ID the domain names involved in attack activity,” Mauch said.

The malicious traffic to the targeted sites appeared benign enough to researchers, but as they dug deeper, they found distinctive 26-character User-Agent strings in logs submitted to them by victims. The attacks, in fact, date back to Aug. 2 and went relatively unnoticed until prolonged and more volumetric attacks were spotted starting Aug. 15 and peaked on Aug. 17. The User-Agent strings were 26-character lowercase English alphabet characters such as jigpuzbcomkenhvladtwysqfxr and yudjmikcvzoqwsbflghtxpanre. Later variants did vary the length and character sets involved.

Many of the applications involved were media players, ringtones or storage managers. Once they infected a device, they reached out to a command and control domain for attack commands. The apps used system resources, even if they were running in the background on an Android device, and were able to launch attacks even if the app was not in use.

“Investigation of the logs from attacks on August 17th revealed previous attacks meeting the same signature implicated the first Android application, ” twdlphqg_v1.3.5_apkpure.com.apk.” Researchers quickly grabbed examples of the application to understand how it works and determine if related applications might exist,” the researchers said in a statement released by all the collaborating vendors. “Searches using variations of the application name and parameters in the application bundle revealed multiple additional applications from the same, or similarly named authors, with comparable descriptions.”

The researchers were almost unanimous in saying that victims with some kind of mitigation service or on-premises hardware in place fared better than others who didn’t.

Cloudflare’s Paine said that large mobile botnets in the past have been used almost exclusively for click-fraud.

“To my knowledge, it is one of the biggest mobile botnets used to conduct attacks,” he said.

Categories: Malware